ABSTRACT

Security is a key issue for both computers and computer networks. The intrusion detection system (IDS) is one of the major research problems in network security. IDSs are developed to detect both known and unknown attacks, and many techniques are used in them to protect computers and networks from network-based and host-based attacks; various machine learning techniques are among them. This study analyzes machine learning techniques in IDS. It also reviews many related studies published in the period from 2000 to 2012, focusing on machine learning techniques. The related studies cover single, hybrid and ensemble classifiers, the baselines and the datasets used.

Index Terms - Security, Intrusion detection, Machine learning techniques, Classification.

1. INTRODUCTION 

The Internet has become very popular and is used almost everywhere, including in all types of business. Data and information are sent and received over the Internet; therefore information must be safeguarded against intrusion, and the detection of intrusions has been one of the main problems in this field.

An intrusion detection system (IDS) is software or a device that helps to resist network attacks. The goal of an IDS is to provide a defensive wall that does not let such attacks through. It detects unauthorized activity on a computer system or a network, and was first introduced by Anderson in 1980 [1]. An IDS is an active security technology which helps ensure confidentiality, integrity and availability and does not allow intruders to bypass the security mechanisms of a network or host [2]. There are two categories of IDS [3]: anomaly detection and misuse detection. Anomaly detection models normal usage and treats deviations from it as intrusions, whereas misuse detection looks for well-known attacks.

All previous machine learning techniques used for IDS from 2000 to 2012 are explained and analyzed below to draw conclusions and suggest future directions. This paper is organized as follows. Section 2 gives an overview of the different machine learning techniques used in IDS. Section 3 analyses the related work. Section 4 concludes with future directions.

2. MACHINE LEARNING TECHNIQUES 

When the previous work on intrusion detection systems that relates to machine learning techniques is analyzed, it comes to the fore that there are three main kinds of classifier: single classifiers, hybrid classifiers and ensemble classifiers.

The types of classifier (single, hybrid and ensemble) and the references of the publications on each from 2000 to 2012 are depicted in table 1.



Table 1: Articles written for types of classifiers.

Type of classifier | Articles written
Single | [15, 23, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92]
Hybrid | [8, 18, 30, 31, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150]
Ensemble | [18, 20, 92, 97, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161]



Year-wise work done for single, hybrid and ensemble classifiers from 2000 to 2012 is shown in figure 1.

[Figure 1: bar chart by year (x-axis: Years); series: Single, Hybrid, Ensemble.]

Fig. 1. Year-wise work done for types of classifier.
2.1. Single Classifiers

The single classifiers are described below.

2.1.1. Fuzzy Logic 

Fuzzy logic, also known as fuzzy set theory, is used for reasoning. Its truth values range from 0 to 1; for example, rain is a natural event whose intensity can range from slight to violent [4]. It is an effective technique with much potential. It deals with human decision making and reasoning and uses if-then-else rules. It is used in many engineering applications [5], but in IDS mainly for anomaly detection. It is more effective against port scans and probes involving high resource consumption [6].

2.1.2. Genetic Algorithms 

Genetic algorithms (GAs) let a computer imitate natural evolution and selection [7]; they can work with a huge population and pick out the superior items, with the selection based on some performance criteria [8].

A GA is a biologically inspired heuristic search. The IDS collects information on the traffic, then applies the GA and obtains the information on which traffic is normal and which is an attack [9].

2.1.3. Self-Organizing Maps 

The self-organizing map (SOM) is an unsupervised learning technique and a type of neural network. The SOM algorithm can map high-dimensional data onto a two-dimensional array. It is used for dimension reduction, with one input layer and one Kohonen layer, and maps n dimensions into two dimensions. It can categorize all the inputs by itself, providing a straightforward method for data clustering [10].

2.1.4. K-Nearest Neighbor 

K-nearest neighbor (k-NN) is a very old and simple method for classifying samples [11] [12]. The value of k is a very important parameter in building a k-NN classifier; changing k gives different performance. k-NN calculates a distance between two different points; unlike inductive approaches it is instance-based learning. It searches the stored input vectors, finds the k nearest neighbors of a new instance and classifies the instance by them [13].
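As an added example, not code from the survey or from any of the works it cites, the following k-NN classifier runs over constructed KDD99-style connection records (src_bytes, count and serror_rate are KDD99 feature names; the values and labels here are made up) and shows the point above that k=1 and k=3 give different verdicts for the same query.

```python
# Added example (not from the survey or the works it cites): k-NN over
# constructed KDD99-style connection records. Feature vector per record:
# (src_bytes, count, serror_rate) -- count is the number of connections to the
# same host in the last two seconds, serror_rate the fraction with SYN errors.
import math
from collections import Counter

# Constructed training records; values and labels are hypothetical.
TRAIN = [
    ((215, 1, 0.0), "normal"),
    ((162, 2, 0.0), "normal"),
    ((236, 3, 0.0), "normal"),
    ((300, 2, 0.0), "normal"),
    ((0, 120, 1.0), "neptune"),    # SYN flood: many half-open connections
    ((0, 200, 1.0), "neptune"),
    ((0, 150, 1.0), "neptune"),
    ((8, 60, 0.2), "portsweep"),   # scan: moderate burst, few SYN errors
]


def feature_ranges(records):
    """Per-feature (min, max) over the training data for min-max scaling.
    Without scaling, src_bytes (hundreds) would swamp serror_rate (0..1)."""
    dims = len(records[0][0])
    lo = [min(r[0][i] for r in records) for i in range(dims)]
    hi = [max(r[0][i] for r in records) for i in range(dims)]
    return lo, hi


def scale(vec, lo, hi):
    """Map each feature onto [0, 1] using the training ranges."""
    return [(v - l) / (h - l) if h != l else 0.0 for v, l, h in zip(vec, lo, hi)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(query, k, records=TRAIN):
    """Majority label among the k training records closest to the query."""
    lo, hi = feature_ranges(records)
    q = scale(query, lo, hi)
    ranked = sorted(records, key=lambda r: euclid(scale(r[0], lo, hi), q))
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    # A burst closest to the lone portsweep sample but surrounded by SYN-flood
    # samples: k=1 says portsweep, k=3 and k=5 say neptune.
    query = (0, 80, 0.5)
    for k in (1, 3, 5):
        print(f"k={k}: {knn_predict(query, k)}")
```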

2.1.5. Support Vector Machine 

The support vector machine (SVM) was proposed in [14]. With an SVM the efficiency of classification can be enhanced by constructing a hyperplane: the SVM divides the data into two groups, using the support vectors found by solving a quadratic programming problem [15].

2.1.6. Artificial Neural Networks 

An artificial neural network (ANN) is an information processing unit that mimics the neurons of the human brain [16]. The multilayer perceptron is the most used neural network architecture and is often applied to pattern recognition problems. ANN is a classification technique; it is flexible and fast and can analyze non-linear, multi-variable data sets [17].

2.1.7. Decision Trees 

A decision tree (DT) is a simple set of if-then-else rules, but a very powerful one. It is an important classification algorithm. First the attributes are selected; the tree is then capable of classifying the data. It classifies a sample by passing it through a number of decisions; the first decision determines the second, and so on, which gives a tree structure. Classification of a sample starts at the root node and ends at an end node, also called a leaf node. Each leaf node represents a classification category [18].

Articles written on the different categories of single classifier, with their references from 2000 to 2012, are shown in table 2. Year-wise work done from 2000 to 2012 on the different categories of single classifier is shown in figure 2.



Table 2: Articles written for types of single classifiers with different categories.

Category | Articles written
K-NN | [31, 34, 35, 43, 45, 82, 162]
DT | [30, 32, 37, 76, 80, 162]
GA | [26, 36, 163, 164]
Fuzzy logic | [29, 58]
SVM | [15, 23, 28, 31, 33, 37, 42, 44, 47, 52, 54, 55, 57, 59, 62, 65, 66, 67, 69, 72, 73, 77, 79, 84, 85, 86, 89, 90, 91, 117, 158]
Bayesian | [39, 40, 49, 61]



[Figure 2: bar chart by year (x-axis: Years); series: K-NN, DT, GA, Bayesian, Fuzzy Logic, SVM, ANN.]

Fig. 2. Year-wise work done for single classifiers.

2.2. Hybrid Classifiers 

Most of the work is done to build a better system, which has led to the development of hybrid classifiers for intrusion detection systems. Hybrid classifiers combine a few machine learning techniques to improve system performance, for example DT and GA, or k-NN and SVM. This hybrid approach has two stages: the first takes the raw data and produces intermediate results, and the second takes these intermediate results and produces the final results [19].

A hybrid architecture has been designed and shown to improve performance [20]. The hybrid approach can serve both anomaly and misuse detection [20], combining a host-based intrusion detection system (HIDS) with a network-based intrusion detection system (NIDS).

Articles written on types of hybrid classifier are shown in table 3, while year-wise work done on hybrid classifiers from 2000 to 2012 is shown in figure 1.



Table 3: Articles written for types of hybrid classifiers with different categories.

Category | Articles written
DT, SVM | [18, 133, 143]
SOM, DT | [30]
Neural network model (NNM), asymmetric cost | [92]
Fuzzy logic (FL), traditional rule-based expert system (TRBES) | [93]
SVM, linear genetic programming (LGP), bees algorithm (BA) | [94]
Evolutionary algorithm (EA), swarm optimizing algorithm (SOA) | [95]
Five different fusion rules | [97]
NNM, SOM | [99]
SVM, clustering method, ant colony algorithm | [100]
SOM, principal component analysis (PCA) | [103]
GA, clustering | [104]
PCA, NN | [105]
Mining fuzzy association rules, fuzzy frequency episodes | [106]
Three-layer NN and offline analysis | [107]
Classification, association | [108]
FL, artificial intelligence (AI) | [109]
GA, DT | [111]
GA, FL | [112, 150]
Three classifiers, clustering algorithm | [114]
Two hierarchical-based framework, radial basis function (RBF) | [115]
UCSM | [8]
Genetic fuzzy systems (GFSs), Pittsburgh approach | [48]
Bayesian network, HMM | [118]
PLS, CVM | [119]
Immune genetic algorithm (IGA) | [120]
Noise-reduced payload-based fuzzy support vector, FSVM | [121]
FL, HMM | [122]
SVM, fuzzy algorithm (FA) | [123]
SVM, GA | [124]
SOM, K-means | [125]
FSVM, RS | [126]
Fuzzy support vector machine | [127]
SA, SVM, DT | [128]
SVM, RS | [129]
SVM, RBFNN | [130]
SVM, HM, TSM | [131]
KNN, NB | [132]
PCA, DT | [134]
TASVM | [135]
SOM, artificial immune system (AIS) | [136]
SVM, MLP | [137]
GA, NN | [138]
GA, KNN | [139]
SOM, NN, K-means | [140]
RBF, Elman neural network | [141]
K-NN, TAAN | [142]
ANN, FC | [144]
SVM, DT, kernel Fisher discriminant analysis (KFDA) | [145]
SVM, FL | [146]
DT, Bayesian clustering | [147]
SVM, FCM, PSO | [148]
SVM, artificial immunization algorithm | [149]



2.3. Ensemble Classifiers

Ensemble classification is used to improve on the performance of single classification [21]. Ensemble classifiers combine weak single classifiers so that collectively they produce a better result [22], and they provide a new and accepted solution for many applications. Articles written on types of ensemble classifier are shown in table 4, while year-wise work done on ensemble classifiers from 2000 to 2012 is shown in figure 1.



Table 4: Articles written for types of ensemble classifiers with different categories.

Category | Articles written
SVM, DT | [18, 158]
MLP, RBF | [20]
Multiple classifier system (MCS) | [97, 161]
GA, FL | [150]
HMM, statistical rule-based method (SRBM) | [151]
Standard machine learning, clustering technique | [152]
SVM, MARs, ANN | [153]
DT | [154]
SVC, K-means, density estimation | [155]
SVM, MK | [156]
Improvised GA, neutrosophic logic classifier | [103]
Neurotree | [160]



2.3.1. Baselines

Different baselines are used for validation and are good for evaluating performance. A baseline also shows how capable the machine is of identifying attacks and how many incorrect classifications can occur [23]. Figure 3 shows year-wise work done on baselines for IDS from 2000 to 2012.
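The following is an added example, not code from the survey or from the works it cites, serving both section 2.3 and section 2.3.1: a majority-vote ensemble of three weak rule-based single classifiers over constructed KDD99-style connection records, scored with the two measures the baseline discussion alludes to, the detection rate (capacity to identify attacks) and the false alarm rate (normal traffic misclassified). The rule thresholds, records and labels are hypothetical.

```python
# Added example (not from the survey or the works it cites): a majority-vote
# ensemble of three weak single-rule classifiers over constructed KDD99-style
# connection records, scored by detection rate and false alarm rate.
# Record layout: (src_bytes, dst_bytes, count, serror_rate); thresholds,
# values and labels are hypothetical.
RECORDS = [
    ((215, 45076, 1, 0.0), "normal"),   # ordinary HTTP fetch
    ((162, 4528, 2, 0.0), "normal"),
    ((0, 0, 3, 0.0), "normal"),         # empty connection closed at once
    ((300, 1200, 70, 0.0), "normal"),   # busy but legitimate client
    ((120, 800, 4, 0.6), "normal"),     # flaky peer producing SYN errors
    ((0, 0, 120, 1.0), "attack"),       # SYN flood
    ((0, 0, 200, 1.0), "attack"),
    ((0, 0, 40, 0.9), "attack"),        # slower SYN flood
    ((8, 0, 60, 0.2), "attack"),        # port sweep
    ((0, 0, 30, 0.8), "attack"),        # probe
    ((44, 120, 70, 0.0), "attack"),     # password guessing over real sessions
]

def rule_syn(r):
    """Weak classifier 1: most connections to the host failed the handshake."""
    return r[3] >= 0.5

def rule_count(r):
    """Weak classifier 2: burst of connections to one host in two seconds."""
    return r[2] >= 50

def rule_empty(r):
    """Weak classifier 3: (almost) no payload in either direction."""
    return r[0] + r[1] <= 16

SINGLE = {"syn": rule_syn, "count": rule_count, "empty": rule_empty}

def ensemble(r):
    """Majority vote: flag when at least two of the three weak rules fire."""
    return sum(rule(r) for rule in SINGLE.values()) >= 2

def evaluate(classifier, records=RECORDS):
    """Confusion counts, detection rate TP/(TP+FN), false alarm rate FP/(FP+TN)."""
    tp = fn = fp = tn = 0
    for feats, label in records:
        flagged = classifier(feats)
        if label == "attack":
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "detection_rate": tp / (tp + fn), "false_alarm_rate": fp / (fp + tn)}

if __name__ == "__main__":
    for name, clf in {**SINGLE, "ensemble": ensemble}.items():
        m = evaluate(clf)
        print(f"{name:8s} DR={m['detection_rate']:.2f} FAR={m['false_alarm_rate']:.2f}")
```

Each single rule has one false alarm on the constructed normal traffic while the vote has none, but the password-guessing record carries a real payload and trips only the count rule, so the ensemble still misses it.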
[Figure 3: bar chart by year (x-axis: Years); series: SVM, K-Means, K-NN, SOM, DT, GA, Bayesian.]

Fig. 3. Year-wise work done for baseline classifiers.

2.3.2. Data sets 

DARPA1998, DARPA1999 and KDD99 are the datasets used for classification tasks; KDD99 is the most used. DARPA has many drawbacks [24], such as that its normal and attack traffic is not realistic and that false alarm behavior cannot be validated. The KDD99 dataset is derived from DARPA and has the same limitations, which have been confirmed again in [25]. Many people have worked with different datasets for classifiers. These datasets are publicly available and recognized as standard datasets for IDS. Year-wise work done on the datasets used from 2000 to 2012 is shown in figure 4.



[Figure 4: bar chart by year (x-axis: Years); series: KDD99, DARPA 1998, DARPA 1999, Windows SYS, Network tcpdump.]

Fig. 4. Year-wise work done for datasets used.

3. ANALYSIS AND COMPARISON 

The analysis of the different articles written on machine learning techniques for IDS with respect to time is discussed below.



3.1. Types of Classifiers 

Three types of classifier are discussed: single, hybrid and ensemble. Articles written on these types are listed in table 1, and their year-wise distribution is depicted in figure 1. 70, 62 and 15 articles were written on single, hybrid and ensemble classifiers respectively. Single classifiers received much focus in 2004, 2011 and 2012, with 8, 11 and 18 articles respectively, and many articles were written on single classifiers throughout 2000 to 2012. The average for hybrid classifiers is 3 articles per year, but in 2007 they gained much focus and 10 articles were written, the maximum for that year. Ensemble classifiers start in 2003, when 2 articles were written for the first time, and received much focus from 2009 to 2012.




[Figure 5: chart not reproduced.]

Fig. 5. Year-wise work done for types of classifiers.

[Table 5: contents not reproduced.]

Table 5: Articles written for types of classifiers.
3.2. Single Classifiers

There are many single classifiers, but we have selected seven of them. SVM is the most popular single classifier: 31 articles were written on SVM, the maximum compared to the other types. The highest numbers of articles on SVM were written in 2009, 2011 and 2012, with 5, 6 and 7 respectively. Fuzzy logic received very little focus. The average number of articles written per single classifier is 9.
[Table 6: contents not reproduced.]

Table 6: Articles written for types of classifiers.
3.4. Ensemble Classifiers

SVM is also a popular technique for ensemble classifiers and is the most used. SVM is used in 4 articles, while DT and GA are used in 2 articles each. RBF, FL, HMM, K-means, ANN and SVC are used just once.



[Figure 8: chart titled "Machine Learning Techniques used in Ensemble Classifier".]

Fig. 8. Important techniques used in ensemble classification.

Many machine learning techniques are used in single, hybrid and ensemble classifiers. SVM is the most used technique in all three. After SVM, the most popular techniques are GA and DT. SVM is used in 31 articles on single classifiers, in 17 articles on hybrid classifiers and in 4 articles on ensemble classifiers, and it is also combined with other techniques in hybrid and ensemble classification.

[Figure 6: chart not reproduced.]

Fig. 6. Year-wise work done for types of classifiers.

3.3. Hybrid Classifiers

The important machine learning techniques used in hybrid classification from 2000 to 2012 are evaluated here. SVM, GA and DT are used for hybrid classification in 17, 8 and 7 articles respectively, so these are also very popular techniques for hybrid classification. The other techniques are used less often.



[Figure 7: chart titled "Machine Learning Techniques used in Hybrid Classifier".]

Fig. 7. Important techniques used in hybrid classification.



4. CONCLUSION AND FUTURE DIRECTION

A lot of work has been done to detect and prevent intrusions. Many machine learning techniques are used in intrusion detection systems, and they comprise single, hybrid and ensemble classifiers. Many resources have been spent on various machine learning techniques. These techniques work very well for IDS, but it is known that there is not a single technique that can identify all types of attack. Therefore more effort is still needed to improve the performance of machine learning techniques so that they identify all types of attack, and false alarms should be reduced.

There are many classification approaches, but none of them is complete. Hybrid classification comes closest. One direction is to take the two or three best single classifiers, improve them a little further, and combine them into a single hybrid classifier. False alarm alerts must be reduced, and the feature selection algorithm should also be improved.